From cea37fb8ca1adc5f55d94f0c1383f02523e9c42c Mon Sep 17 00:00:00 2001
From: Ingolf Wagner
Date: Sun, 7 Jan 2024 00:27:29 +0100
Subject: [PATCH] made s3 buckets work
---
 flake.lock | 8 ++--
 nixos/components/network/nginx.nix | 1 +
 nixos/components/network/tinc/private.nix | 1 +
 nixos/homes/common/packages.nix | 4 ++
 nixos/machines/chungus/services-s3.nix | 10 ++++
 .../terranix.org/.gitignore | 0
 .../targets/namecheap/__backend.tf | 18 +++++++
 .../targets/namecheap/__provider.tf | 0
 .../terranix.org/targets/namecheap/main.tf | 0
 .../targets/namecheap/terragrunt.hcl | 10 ++--
 terraform/terranix.org/targets/terragrunt.hcl | 31 ++++++++++++
 terranix/dummy_server/config.nix | 48 -------------------
 terranix/dummy_server/shell.nix | 48 -------------------
 13 files changed, 76 insertions(+), 103 deletions(-)
 rename {terranix => terraform}/terranix.org/.gitignore (100%)
 create mode 100644 terraform/terranix.org/targets/namecheap/__backend.tf
 rename {terranix => terraform}/terranix.org/targets/namecheap/__provider.tf (100%)
 rename {terranix => terraform}/terranix.org/targets/namecheap/main.tf (100%)
 rename {terranix => terraform}/terranix.org/targets/namecheap/terragrunt.hcl (80%)
 create mode 100644 terraform/terranix.org/targets/terragrunt.hcl
 delete mode 100644 terranix/dummy_server/config.nix
 delete mode 100644 terranix/dummy_server/shell.nix
diff --git a/flake.lock b/flake.lock
index f689836..556b319 100644
--- a/flake.lock
+++ b/flake.lock
@@ -1308,11 +1308,11 @@ "secrets": { "flake": false, "locked": { - "lastModified": 1703323989, - "narHash": "sha256-YC2itrHIVrg1TazWnsuZ51BBYD3HJMFKONgh9RWn5Qk=", + "lastModified": 1704582381, + "narHash": "sha256-GC56ZF7qAtRqxF/SchmlVN86mA4BMwRFRz411utqUvc=", "ref": "main", - "rev": "23c91088d677f3f1e7d21bb1a8afd4f729d1e030", - "revCount": 61, + "rev": "cd333595c000cd2b1cbce7b2a6027fd6c3f07769", + "revCount": 62, "type": "git", "url": "ssh://gitea@git.ingolf-wagner.de/palo/nixos-secrets.git" },
diff --git a/nixos/components/network/nginx.nix b/nixos/components/network/nginx.nix
index e063797..8e4609d 100644
--- a/nixos/components/network/nginx.nix
+++ b/nixos/components/network/nginx.nix
@@ -48,6 +48,7 @@ with lib;
 locations."/" = {
 root = pkgs.landingpage.override {
 jsonConfig = [
+ { title = config.networking.hostName; }
 { title = "System Links"; }
 {
 text = "Syncthings";
diff --git a/nixos/components/network/tinc/private.nix b/nixos/components/network/tinc/private.nix
index da2fe9b..b940463 100644
--- a/nixos/components/network/tinc/private.nix
+++ b/nixos/components/network/tinc/private.nix
@@ -40,6 +40,7 @@ let
 "loki.chungus" = hosts.chungus;
 "prometheus.chungus" = hosts.chungus;
 "s3.chungus" = hosts.chungus;
+ "minio.chungus" = hosts.chungus;
 "sync.chungus" = hosts.chungus;
 "tdarr.chungus" = hosts.chungus;
 "trilium.chungus" = hosts.chungus;
diff --git a/nixos/homes/common/packages.nix b/nixos/homes/common/packages.nix
index e7c7927..8333fed 100644
--- a/nixos/homes/common/packages.nix
+++ b/nixos/homes/common/packages.nix
@@ -13,6 +13,10 @@ with lib;
 
 units
 parallel
+
+ wget
+ curl
+
 ];
 }
 (mkIf config.gui.enable {
diff --git a/nixos/machines/chungus/services-s3.nix b/nixos/machines/chungus/services-s3.nix
index 90ba5bf..c05f6e5 100644
--- a/nixos/machines/chungus/services-s3.nix
+++ b/nixos/machines/chungus/services-s3.nix
@@ -3,11 +3,21 @@
 services.minio = {
 enable = true;
 region = "home";
+ rootCredentialsFile = config.sops.secrets.minioRootCredentials.path;
 };
 
+ sops.secrets.minioRootCredentials = { };
+
 services.nginx = {
 enable = true;
 virtualHosts."s3.${config.networking.hostName}.private" = {
+ locations."/" = {
+ recommendedProxySettings = true;
+ proxyWebsockets = true;
+ proxyPass = "http://localhost:9000";
+ };
+ };
+ virtualHosts."minio.${config.networking.hostName}.private" = {
 locations."/" = {
 recommendedProxySettings = true;
 proxyWebsockets = true;
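Review bot: The new `s3.*` location in services-s3.nix forwards to `proxyPass = "http://localhost:9000";` without raising the request body limit, so S3 PUTs larger than nginx's `services.nginx.clientMaxBodySize` default (10m) are rejected with 413 before MinIO ever sees them; add `extraConfig = "client_max_body_size 0;";` to that `locations."/"` block, or set the module option to cover the largest object you expect. Port 9000 is MinIO's S3 API, while the NixOS module serves the console on `services.minio.consoleAddress` (default `:9001`), so if the separate `minio.*` vhost is meant to be the console its `proxyPass` (outside this hunk) should point at that address rather than the same port. Neither vhost enables `forceSSL`/`addSSL`, and the Terragrunt backend added in this commit sets `encrypt = false`, so state objects cross the wire in cleartext; that is defensible only while these names resolve solely over the tinc network, as the private.nix hunk suggests, and is worth a comment on the vhost saying so.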
diff --git a/terranix/terranix.org/.gitignore b/terraform/terranix.org/.gitignore
similarity index 100%
rename from terranix/terranix.org/.gitignore
rename to terraform/terranix.org/.gitignore
diff --git a/terraform/terranix.org/targets/namecheap/__backend.tf b/terraform/terranix.org/targets/namecheap/__backend.tf
new file mode 100644
index 0000000..f52dc97
--- /dev/null
+++ b/terraform/terranix.org/targets/namecheap/__backend.tf
@@ -0,0 +1,18 @@ +# Generated by Terragrunt. Sig: nIlQXj57tbuaRZEa +terraform { + backend "s3" { + bucket = "terraform-state-terranix-website" + encrypt = false + endpoint = "http://s3.chungus.private" + force_path_style = true + iam_endpoint = "http://s3.chungus.private" + key = "namecheap/terraform.tfstate" + region = "home" + skip_credentials_validation = true + skip_metadata_api_check = true + skip_region_validation = true + skip_requesting_account_id = true + skip_s3_checksum = true + sts_endpoint = "http://s3.chunugs.private" + } +}
diff --git a/terranix/terranix.org/targets/namecheap/__provider.tf b/terraform/terranix.org/targets/namecheap/__provider.tf
similarity index 100%
rename from terranix/terranix.org/targets/namecheap/__provider.tf
rename to terraform/terranix.org/targets/namecheap/__provider.tf
diff --git a/terranix/terranix.org/targets/namecheap/main.tf b/terraform/terranix.org/targets/namecheap/main.tf
similarity index 100%
rename from terranix/terranix.org/targets/namecheap/main.tf
rename to terraform/terranix.org/targets/namecheap/main.tf
diff --git a/terranix/terranix.org/targets/namecheap/terragrunt.hcl b/terraform/terranix.org/targets/namecheap/terragrunt.hcl
similarity index 80%
rename from terranix/terranix.org/targets/namecheap/terragrunt.hcl
rename to terraform/terranix.org/targets/namecheap/terragrunt.hcl
index 8396ff3..00486a1 100644
--- a/terranix/terranix.org/targets/namecheap/terragrunt.hcl
+++ b/terraform/terranix.org/targets/namecheap/terragrunt.hcl
@@ -1,4 +1,8 @@
 
+include {
+ path = find_in_parent_folders()
+}
+
 inputs = {
 namecheap_user = run_cmd("--terragrunt-quiet", "pass", "show", "development/namecheap.com/username")
 namecheap_api_key = run_cmd("--terragrunt-quiet", "pass", "show", "development/namecheap.com/api-key")
@@ -11,7 +15,7 @@ generate "provider" {
 terraform {
 required_providers {
 namecheap = {
- source = "namecheap/namecheap"
+ source = "namecheap/namecheap"
 version = ">= 2.0.0"
 }
 }
@@ -24,7 +28,7 @@ provider "namecheap" {
 api_key = var.namecheap_api_key
 }
 
-variable "namecheap_user" { }
-variable "namecheap_api_key" { }
+variable "namecheap_user" {}
+variable "namecheap_api_key" {}
 EOF
 }
diff --git a/terraform/terranix.org/targets/terragrunt.hcl b/terraform/terranix.org/targets/terragrunt.hcl
new file mode 100644
index 0000000..7051229
--- /dev/null
+++ b/terraform/terranix.org/targets/terragrunt.hcl
@@ -0,0 +1,31 @@
+
+remote_state {
+ backend = "s3"
+ generate = {
+ path = "__backend.tf"
+ if_exists = "overwrite"
+ }
+ config = {
+ bucket = "terraform-state-terranix-website"
+ key = "${path_relative_to_include()}/terraform.tfstate"
+ region = "home"
+ encrypt = false
+
+ endpoint = "http://s3.chungus.private"
+ iam_endpoint = "http://s3.chungus.private"
+ sts_endpoint = "http://s3.chunugs.private"
+
+ force_path_style = true
+ enable_lock_table_ssencryption = false
+ skip_s3_checksum = true
+ skip_bucket_public_access_blocking = true
+ skip_bucket_enforced_tls = true
+ skip_credentials_validation = true
+ skip_bucket_root_access = true # use only if the AWS account root user should not have access to the remote state bucket for some reason
+ skip_bucket_versioning = true # use only if the object store does not support versioning
+ skip_bucket_ssencryption = true # use only if non-encrypted Terraform State is required and/or the object store does not support server-side encryption
+ skip_metadata_api_check = true
+ skip_region_validation = true
+ skip_requesting_account_id = true
+ }
+}
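Review bot: `sts_endpoint = "http://s3.chunugs.private"` in the new targets/terragrunt.hcl `config` block misspells the host that the `endpoint` and `iam_endpoint` lines two lines above use (`chunugs` vs `chungus`), and the generated `__backend.tf` committed alongside already carries the typo forward; change it to `sts_endpoint = "http://s3.chungus.private"`. With `skip_credentials_validation` and `skip_requesting_account_id` set, STS is probably never contacted today, so the bad hostname would only surface once something does call it. The block also configures no `dynamodb_table`, so state is written without locking and two concurrent runs against the same key can overwrite each other; if that is accepted because MinIO offers no DynamoDB, say so in a comment such as `# no lock table on MinIO: runs against one key must not overlap`. `skip_bucket_versioning = true` further forfeits rollback of a clobbered state object; MinIO does support object versioning, so enabling it on the bucket and dropping this flag is worth considering.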
diff --git a/terranix/dummy_server/config.nix b/terranix/dummy_server/config.nix
deleted file mode 100644
index 6c56f41..0000000
--- a/terranix/dummy_server/config.nix
+++ /dev/null
@@ -1,48 +0,0 @@
-{ pkgs, lib, ... }:
-let
- hcloud-modules = pkgs.fetchgit {
- url = "https://github.com/mrVanDalo/terranix-hcloud.git";
- rev = "5fa359a482892cd973dcc6ecfc607f4709f24495";
- sha256 = "0smgmdiklj98y71fmcdjsqjq8l41i66hs8msc7k4m9dpkphqk86p";
- };
-
- #nixosInfect = pkgs.fetchgit {
- # "url" = "https://github.com/elitak/nixos-infect.git";
- # rev = "928f9e5e1d63e77a91f2ca57ffa2be1fef3078ec";
- #sha256 = "0rs84c549l863vbnnqgnx7v6m2zlq0wz46jbhm4v1l1a25d966s1";
- #};
-in
-{
- imports = [ (toString hcloud-modules) ];
-
- # configure admin ssh keys
- users.admins.palo.publicKey =
- "ssh-rsa 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 cardno:000611343142";
-
- users.admins.terranix.publicKey = "${lib.fileContents ./sshkey.pub}";
-
- # configure provisioning private Key to be used when running provisioning on the machines
- provisioner.privateKeyFile = toString ./sshkey;
-
- hcloud.nixserver = {
- playground = {
- enable = true;
- channel = "nixos-20.09";
- provisioners = [
- #{
- # file.source = "${nixosInfect}/nixos-infect";
- # file.destination = "/root/nixos-infect";
- #}
- {
- file.source = "${toString ./../../images/translate-setup}";
- file.destination = "/root/translate-setup";
- }
- ];
- configurationFile = pkgs.writeText "configuration.nix" ''
- { pkgs, lib, config, ... }:
- { environment.systemPackages = [ pkgs.git ]; }
- '';
- };
- };
-
-}
diff --git a/terranix/dummy_server/shell.nix b/terranix/dummy_server/shell.nix
deleted file mode 100644
index 0980057..0000000
--- a/terranix/dummy_server/shell.nix
+++ /dev/null
@@ -1,48 +0,0 @@
-{ pkgs ? import { } }:
-let
- terranix = pkgs.callPackage
- (pkgs.fetchgit {
- url = "https://github.com/mrVanDalo/terranix.git";
- rev = "2.3.0";
- sha256 = "030067h3gjc02llaa7rx5iml0ikvw6szadm0nrss2sqzshsfimm4";
- })
- { };
-
- terraform = pkgs.writers.writeBashBin "terraform" ''
- export TF_VAR_hcloud_api_token=`${pkgs.pass}/bin/pass development/hetzner.com/api-token`
- ${pkgs.terraform_0_12}/bin/terraform "$@"
- '';
-
-in
-pkgs.mkShell {
-
- buildInputs = [
-
- terranix
- terraform
-
- (pkgs.writers.writeBashBin "prepare" ''
- set -e
- set -o pipefail
- ${pkgs.openssh}/bin/ssh-keygen -P "" -f ${toString ./.}/sshkey
- '')
-
- (pkgs.writers.writeBashBin "build" ''
- set -e
- set -o pipefail
- ${terranix}/bin/terranix | ${pkgs.jq}/bin/jq '.' > config.tf.json
- ${terraform}/bin/terraform init
- ${terraform}/bin/terraform apply
- '')
-
- (pkgs.writers.writeBashBin "cleanup" ''
- ${terraform}/bin/terraform destroy
- rm ${toString ./.}/config.tf.json
- rm ${toString ./.}/sshkey
- rm ${toString ./.}/sshkey.pub
- rm ${toString ./.}/terraform.tfstate*
- '')
-
- ];
-
-}